davidjrh/dnn.azureadprovider

Problem after update AD password

rodsmr opened this issue · 11 comments

Environment

  • DNN 9.9.0
  • DNN Azure AD Provider 4.0.4
  • Windows Server 2012 R2

Problem
I updated the Azure Active Directory (AAD) password a few days ago; after this change, I tried to log in to my site and got the attached error
[Image: ErroreAAD]
If I discard the saved user/pw and try the new value (same email but different PW), I can log in

  1. Is this normal?
  2. Does it depend on the AAD config?
  3. How can I avoid it?

Thanks for the support, best regards

I need to reopen this issue. Today a user updated their AAD password and has the same problem

@rodsmr, does the user have a Microsoft LIVE account with the same credentials as their AAD account?

I suppose yes (but I really don't know). Is there a way to debug?

I'm not sure if there is a way to debug but we have had instances (not specific to DNN) where users had both a Personal Microsoft Live Account and an AAD Account with the same credentials. When this happens, I have seen instances where they will be redirected to https://login.live.com/ to login instead of https://login.microsoftonline.com/

If the user is logging into login.live.com instead of login.microsoft.com, you will get the error message you sent. Just one thought.

In fact, I was just able to recreate your exact issue by logging into our DNN tenant with my personal (Non-AAD) credentials:

[Image]

@swalker1595 thank you very much, I read your docs!

Hi @swalker1595
Based on the Microsoft OAuth 2.0 doc, I modified the AzureClient.cs code to add new QueryParameter("prompt", "login") in the Authorize() method

I think this setting could be chosen by the user during configuration. @davidjrh what do you think about my idea?

This sounds like an advanced setting to set through a dropdown and the corresponding help shown below.

[Image]

Fixed on PR #69

Thanks @alendv for the contribution.
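
The configurable prompt setting discussed in this thread, sketched as an added example (not code from dnn.azureadprovider or PR #69). It assumes the Microsoft identity platform v2.0 authorize endpoint; the class, method, scope list and sample values are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added illustration; not the provider's AzureClient.cs.
public static class AuthorizeUrlExample
{
    // Values the Microsoft identity platform documents for the "prompt" parameter.
    private static readonly HashSet<string> AllowedPrompts =
        new HashSet<string>(StringComparer.Ordinal) { "login", "none", "consent", "select_account" };

    // Hypothetical helper: all arguments are assumed inputs read from site settings.
    public static string Build(string tenantId, string clientId, string redirectUri,
                               string state, string prompt)
    {
        var query = new List<KeyValuePair<string, string>>
        {
            new KeyValuePair<string, string>("client_id", clientId),
            new KeyValuePair<string, string>("response_type", "code"),
            new KeyValuePair<string, string>("redirect_uri", redirectUri),
            new KeyValuePair<string, string>("scope", "openid profile email"),
            new KeyValuePair<string, string>("state", state)
        };

        // An empty setting keeps the default behaviour: no prompt parameter is sent.
        if (!string.IsNullOrEmpty(prompt))
        {
            // Reject anything outside the documented list instead of forwarding
            // an arbitrary admin-entered string to the identity provider.
            if (!AllowedPrompts.Contains(prompt))
                throw new ArgumentException("Unsupported prompt value: " + prompt, nameof(prompt));
            query.Add(new KeyValuePair<string, string>("prompt", prompt));
        }

        var qs = string.Join("&", query.Select(p =>
            Uri.EscapeDataString(p.Key) + "=" + Uri.EscapeDataString(p.Value)));
        return "https://login.microsoftonline.com/" + Uri.EscapeDataString(tenantId)
             + "/oauth2/v2.0/authorize?" + qs;
    }

    public static void Main()
    {
        // Constructed sample values, not taken from the issue.
        Console.WriteLine(Build("contoso.onmicrosoft.com", "00000000-0000-0000-0000-000000000000",
            "https://dnn.example.com/login", "constructed-state", "login"));
    }
}
```

With prompt set to login the user is asked for credentials on every sign-in, so a stale browser-saved password is not silently reused.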